Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
From: Jeff Jancula (Jeff@Jancula.com)
Date: 09/03/01
Message-ID: <00bc01c134ba$4bb81080$a600000a@Jancula.com>
From: "Jeff Jancula" <Jeff@Jancula.com>
To: "Hicks, John" <JHicks@JUSTICE.GC.CA>, <vuln-dev@securityfocus.com>
Subject: Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
Date: Mon, 3 Sep 2001 16:52:07 -0400
John,
I think you miss the point... IIS does issue a session ID, however you do not have to use it! You can make your own ID up! So, forget about "guessing" someone's session ID, just feed a victim with malicious cross-site scripting or a more permanent cookie (ASPSESSION), and you will KNOW the session ID you gave them.
Hijacking becomes easy then.
Jeff
----- Original Message -----
From: "Hicks, John" <JHicks@JUSTICE.GC.CA>
To: <vuln-dev@securityfocus.com>
Sent: Thursday, August 30, 2001 11:23 AM
Subject: RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
> I am not too familiar with Cold Fusion, however, if you run ASP (Active
> Server Page) Applications on your IIS Server, the server issues a Session ID
> to each new session. This is how ASP maintains state across web pages. I
> assume it's the same concept for ColdFusion.
>
> This is an Automatic process for ID generation that is rather random ... so
> theoretically (as MS always likes to put it) yes, they could steal a Session
> ID, but you would have to guess it first, and that would be akin to
> attempting to hijack a TCP/IP session using a guessed TCP/IP sequence
> number.
>
> John Hicks
>
> -----Original Message-----
> From: Lincoln Yeoh [mailto:lyeoh@pop.jaring.my]
> Sent: Thursday, August 30, 2001 1:35 AM
> To: Jeff Jancula; vuln-dev@securityfocus.com
> Subject: Re: Web session tracking security prob. Vulnerable: IIS and
> ColdFusion (maybe others)
>
>
> At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:
> >BACKGROUND:
> >
> >When an Internet browser user visits IIS or ColdFusion hosted web sites,
> the web server issues browser commands similar to:
> >
> >(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP
> >(for CF) Set-Cookie: CFID=123
> >(for CF) Set-Cookie: CFTOKEN=4567890
> >
> >The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values
> with each subsequent request to the web server. IIS and ColdFusion use
> these values to identify and track each user.
> >
>
> What does CFID=123 mean to cold fusion? Is that the user/session ID?
>
> Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING and
> Cold Fusion will think it's the same user/session?
>
> If it does then it's a very big problem. If it doesn't, then it may not be
> a problem unless your application assumes that just having a session means
> it's a valid user.
>
> Cheerio,
> Link.
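
An added example, not part of the original messages and not how IIS or ColdFusion is implemented: the server-side countermeasure to the issue raised in this thread, where a session ID the server never issued is discarded instead of adopted, and the ID is rotated at login. The class and function names (`StrictSessionStore`, `resolve`, `login`, `demo`) are hypothetical, and the planted cookie value is the sample one quoted in the thread.

```python
import secrets


class StrictSessionStore:
    """Hypothetical session store: only IDs it issued are honoured."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def _issue(self, data=None):
        sid = secrets.token_urlsafe(32)  # server-generated, unguessable
        self._sessions[sid] = dict(data or {})
        return sid

    def resolve(self, presented_sid):
        """Return the session ID to use for this request.

        A cookie value the server never issued (made up by the client or
        planted by a third party) is discarded and replaced by a fresh ID.
        """
        if presented_sid in self._sessions:
            return presented_sid
        return self._issue()

    def login(self, presented_sid, user):
        """Authenticate and rotate the ID, so any pre-login ID stops working."""
        data = self._sessions.pop(presented_sid, {})
        data["user"] = user
        return self._issue(data)

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


def demo():
    store = StrictSessionStore()
    planted = "BBBBBBBBABCDEFGHIJKLMNOP"   # sample value from the thread, never issued here
    pre_login = store.resolve(planted)     # planted ID is not adopted
    post_login = store.login(pre_login, "alice")  # constructed user name
    return {
        "planted_adopted": planted in (pre_login, post_login),
        "planted_user": store.user_for(planted),
        "pre_login_user": store.user_for(pre_login),
        "post_login_user": store.user_for(post_login),
    }


if __name__ == "__main__":
    print(demo())
```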